CVE-2023-21094: 
NixOS vulnerability analysis and mitigation

Vulnerability in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products (component: Hotspot). The vulnerability affects multiple versions including Oracle Java SE (8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22), Oracle GraalVM for JDK (17.0.10, 21.0.2, 22), and Oracle GraalVM Enterprise Edition (20.3.13 and 21.3.9). This vulnerability was disclosed on April 16, 2024 (Oracle Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 3.7 (Low severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability is characterized as difficult to exploit and can be accessed through network protocols. It has been classified under CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data) (NVD).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition accessible data. The vulnerability can be exploited through APIs in the specified Component, such as through a web service which supplies data to the APIs (Oracle Advisory).

Oracle has released patches for this vulnerability as part of their April 2024 Critical Patch Update. Users are advised to update to the latest versions of the affected products. The vulnerability has also been addressed in various downstream products, with some vendors like Broadcom confirming their products are not affected due to the vulnerable code not being controllable by adversaries (Broadcom Advisory).